What type of data are you encoding? Plain text? Are you looking for an encoding scheme for the data to be transmitted to make the variances look more random?
–
HeatfanJohnOct 7 '12 at 2:27

@HeatfanJohn as shown in the code, I use plaintext encoding in ASCII. The direction I'm going to is improving how to map the bit 1 and 0 to the packet delay. The code is the second improvement, the first is use certain delay time to represent 1 and 0, like 0.3ms is bit 0 ', 0.6ms is bit 1`. which obviously raise suspicion, the chart will show only 2 hight, thus easily to be broken. So you can see what direction I'm heading into
–
mkoOct 7 '12 at 4:19

1 Answer
1

With Steganography, we take a short message, and embed that into a much larger signal, with the goal being that someone seeing the larger signal cannot tell that there's the embedded message. Now, this larger signal (which might be JPEG, a handwritten message, or in your case, interpacket delays) has a natural distribution; one way of viewing the goal of Steganography is that we want to generate an artificial signal; we pick it in such a way to mimic the natural distribution (so that someone cannot tell that we picked it artificially), however the precise signal we did pick encodes the message we want.

Usually, we do Steganography by taking a real signal, and tweaking it slightly to form the artificial signal. The hope is that the tweaks do not move the signal significantly out of the natural distribution (at least, not enough to be detectable). This means that we don't have to understand the entire natural distribution (e.g. if we were embedding our messages into JPEG files, which files would look plausible and which wouldn't); instead, we just need to understand it well enough to know which tweaks don't disrupt the distribution detectably.

However, that's not what you're doing. You don't have a real signal (that is, there is no original interpacket delay source); you are individually crafting the interpacket delays yourself. In that case, you really need to answer the question "what does the natural distribution look like"; that is, what do real interpacket delays look like?

Well, we could guess what these delays might look like (perhaps approximately normal distributed with a certain mean and standard deviation), however if you are serious about this, you will need to actually select a real packet source, and measure the delays. This is more subtle than just measuring the distribution of delays; it also involves (at least) looking at the short term correlations between delays.

Once you have a reasonable model of the probability distribution of a real source, it should not be difficult to craft a way of selecting an element from that distribution. However, until you have such a model, you really don't have much hope of fooling an intelligent evesdropper who is actively looking for a signal.